Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Clearpass Radius Certificate - Replace internal with GoDaddy

Hello, thanks for your help. We have an SSID with 802.1x WPA2 auth. Currently when Windows laptops connect to the SSID they have to uncheck "validate server certificate" in order to not get a warning when they sign on to the wifi. Our Clearpass RADIUS certificate is from our Active Directory domain controller/CA. Our Clearpass server's hostname for sake of argument is clearpass.corp.abc.biz. We have a wildcard cert from GoDaddy that is for *.corp.abc.biz

If I replace the current Clearpass RADIUS server certificate (from our Active Domain Controller) with the GoDaddy cert, will this cause any disruption to our wifi clients? Will they have to "forget" the wifi network and reconnect? Will this cause authentication to fail? Thanks.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass Radius Certificate - Replace internal with GoDaddy

You cannot use wildcard certs for .1x on Windows devices.



Thank you,
Troy Arnold
Sorry for any typos sent from my mobile
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Radius Certificate - Replace internal with GoDaddy

You should not use a wildcard certificate for RADIUS. You will need to request a standard SSL certificate.

Once you do that, since clients are configured to not validate the cert (not recommended), the clients should still be able to authenticate successfully.

Also, it sounds like you are referring to the informational box that pops up asking you to trust the certificate? Using a public certificate will not stop this message. This is a normal part of EAP-PEAP. The only way for that message to not appear during the first connection is to preconfigure your clients using something like Group Policy, Profile Manager, MDM, QuickConnect, etc.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Re: Clearpass Radius Certificate - Replace internal with GoDaddy

Thanks guys. We currently have to uncheck this box in order to sign on to the wifi. I was hoping by replacing my Clearpass Radius certificate (from my Domain controller) with the GoDaddy one that we would no longer have to uncheck this box. But maybe this is not the case? Thanks.

[Screenshot: step 7.jpg]

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Radius Certificate - Replace internal with GoDaddy

Yes. You should never uncheck validate server certificate or clear the server name check.

How long have you been running it this way? It's a huge security risk. You might want to have your users change their passwords once you deploy the new certificate.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480